Advisory: *.com accepted as wildcard match in SSL/TLS name matching

September 1, 2009

Summary

Certificate authorities are expected to vet all certificate registrations, but may fail to prevent fraudulent or erroneous registrations. Certificates which use a wildcard immediately before the top-level domain, or nulls in the domain name, may pass validation checks in Opera. Sites using such certificates may then incorrectly be presented as secure.
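
The two cases described above, as an added example (not Opera's code and not part of the original advisory): a flawed name matcher that accepts both, beside a stricter one that rejects them. Function names and sample certificate names are constructed; the flawed matcher assumes the name is cut at the first NUL byte as C string handling would do, which the advisory does not state, and the strict matcher assumes ASCII hostnames and consults no public suffix list.

```python
import re

# One DNS label: letters, digits, hyphen, no leading or trailing hyphen.
_LABEL = re.compile(rb"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed samples: (name from the certificate as raw bytes, host requested).
SAMPLES = [
    (b"*.com", "example.com"),
    (b"www.example.com\x00.attacker.example", "www.example.com"),
    (b"*.example.com", "www.example.com"),
]


def naive_match(cert_name: bytes, host: str) -> bool:
    """Flawed: name truncated at NUL (assumed), '*' allowed right before the TLD."""
    name = cert_name.split(b"\x00", 1)[0].lower().decode("ascii", "replace")
    host = host.lower()
    if name.startswith("*."):
        return host.endswith(name[1:]) and len(host) > len(name) - 1
    return name == host


def strict_match(cert_name: bytes, host: str) -> bool:
    """Hardened: the whole name is validated and '*.tld' is refused."""
    labels = cert_name.lower().split(b".")
    host_labels = host.lower().encode("ascii", "replace").split(b".")
    wildcard = labels[0] == b"*"
    fixed = labels[1:] if wildcard else labels
    # Every fixed label must be plain letters/digits/hyphen. This rejects
    # embedded NUL bytes and any '*' outside the leftmost label.
    if not fixed or not all(_LABEL.fullmatch(label) for label in fixed):
        return False
    # A wildcard needs at least two fixed labels after it, so '*.com' fails.
    if wildcard and len(fixed) < 2:
        return False
    if len(labels) != len(host_labels):
        return False
    if wildcard:
        # '*' stands for exactly one well-formed label of the host.
        return bool(_LABEL.fullmatch(host_labels[0])) and host_labels[1:] == fixed
    return host_labels == labels


if __name__ == "__main__":
    for cert_name, host in SAMPLES:
        print(cert_name, host, naive_match(cert_name, host), strict_match(cert_name, host))
```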

Severity

Moderate severity

Opera's response

Opera Software has released Opera 10.00, where this issue has been fixed.

Credits

Thanks to Dan Kaminsky for reporting this issue to Opera Software.